Background information:

Windows AD version: Windows Server 2012 R2 zh-cn

Full computer name: hlm12r2n1.hlm.com

Domain: hlm.com

Domain controller administrator: stone

Regular users: abc; bcd

Regular group: hlmgroup (user bcd is a member of this group)

IP: 10.0.0.6

Linux server:

User with root privileges: ltsstone

Procedure:

Install the required packages:

    yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools

Edit /etc/resolv.conf so that DNS points at the DC:

    [root@hlmcen75n2 ~]# cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search lqvi3agp2gsunp1mlkwv0vudne.ax.internal.chinacloudapp.cn
    nameserver 10.0.0.6

Edit /etc/hosts and add the mapping between the DC's IP address and its name:

    [root@hlmcen75n2 ~]# cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.0.0.6 hlm12r2n1.hlm.com

Join the Linux machine to the domain:

    [root@hlmcen75n2 ~]# realm join hlm12r2n1.hlm.com -U stone
    Password for stone:

The domain is now discovered successfully:

    [root@hlmcen75n2 ~]# realm list
    hlm.com
    type: kerberos
    realm-name: HLM.COM
    domain-name: hlm.com
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
    login-formats: %U@hlm.com
    login-policy: allow-permitted-logins
    permitted-logins:
    permitted-groups: hlmgroup@hlm.com

Permit the domain group hlmgroup to log in to the server:

    [root@hlmcen75n2 sudoers.d]# realm permit -g hlmgroup@hlm.com

The users stone, abc and bcd can now be resolved:

    [root@hlmcen75n2 ~]# id stone@hlm.com
    uid=(stone) gid=(domain users) groups=(domain users),(group policy creator owners),(domain admins),(schema admins),(denied rodc password replication group),(enterprise admins)

    [root@hlmcen75n2 ~]# id abc@hlm.com
    uid=(abc) gid=(domain users) groups=(domain users)

    [root@hlmcen75n2 ~]# id bcd@hlm.com
    uid=(bcd) gid=(domain users) groups=(domain users),(hlmgroup)

To let users be recognised without the domain suffix, edit /etc/sssd/sssd.conf and change the value of the use_fully_qualified_names line from True to False:

    [root@hlmcen75n2 ~]# cat /etc/sssd/sssd.conf

    [sssd]
    domains = hlm.com
    config_file_version = 2
    services = nss, pam

    [domain/hlm.com]
    ad_server = hlm12r2n1.hlm.com
    ad_domain = hlm.com
    krb5_realm = HLM.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u@%d
    access_provider = simple
    simple_allow_groups = hlmgroup@hlm.com

Restart the sssd service and list the domain information again:

    [root@hlmcen75n2 ~]# systemctl restart sssd
    [root@hlmcen75n2 ~]# realm list
    hlm.com
    type: kerberos
    realm-name: HLM.COM
    domain-name: hlm.com
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
    login-formats: %U
    login-policy: allow-permitted-logins
    permitted-logins:
    permitted-groups: hlmgroup@hlm.com

The Linux server now recognises domain users without the domain suffix:

    [root@hlmcen75n2 ~]# id stone
    uid=(stone) gid=(domain users) groups=(domain users),(group policy creator owners),(domain admins),(schema admins),(denied rodc password replication group),(enterprise admins)
    [root@hlmcen75n2 ~]# id abc
    uid=(abc) gid=(domain users) groups=(domain users)
    [root@hlmcen75n2 ~]# id bcd
    uid=(bcd) gid=(domain users) groups=(domain users),(hlmgroup)

Switching to a domain user and then trying to become root fails with the following message:

    [root@hlmcen75n2 ~]# su - abc
    Last login: Mon Sep :: UTC on pts/
    [abc@hlmcen75n2 ~]$ sudo su - root

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #) Respect the privacy of others.
    #) Think before you type.
    #) With great power comes great responsibility.

    [sudo] password for abc:
    abc is not in the sudoers file. This incident will be reported.
    [abc@hlmcen75n2 ~]$

Edit /etc/sudoers.d/waagent and add the users that need root privileges:

    [root@hlmcen75n2 ~]# vim /etc/sudoers.d/waagent
    [root@hlmcen75n2 ~]# cat /etc/sudoers.d/waagent
    ltsstone ALL=(ALL) ALL
    abc ALL=(ALL) ALL

Switching to root now works:

    [root@hlmcen75n2 ~]# sudo su - abc
    Last login: Tue Sep :: UTC on pts/
    [abc@hlmcen75n2 ~]$ sudo su - root
    [sudo] password for abc:
    Last login: Tue Sep :: UTC on pts/
    [root@hlmcen75n2 ~]#
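Two things in the steps above deserve a check before the host goes into service: whether the access_provider block in sssd.conf really limits who can log in (with access_provider = simple, empty allow lists admit everyone), which domain short names are hidden by local accounts once use_fully_qualified_names is False (nsswitch resolves files before sss), and who holds ALL in the sudoers drop-in. The functions below are an added shell example, not code from the original post; they take file paths as arguments, and the host, user and group names are the ones from this post.

```shell
#!/bin/sh
# Post-join audit helpers (added example, not from the post). Each function
# takes the file to inspect as an argument, so it can run on /etc or on a copy.

# 1. Does sssd.conf restrict who may log in? With access_provider = simple,
#    empty simple_allow_users/simple_allow_groups lists allow everyone.
sssd_access_restricted() {  # $1 = path to sssd.conf; exit 0 when restricted
    prov=$(sed -n 's/^[[:space:]]*access_provider[[:space:]]*=//p' "$1" | head -n 1 | tr -d '[:space:]')
    case "$prov" in
        simple) grep -Eq '^[[:space:]]*simple_allow_(groups|users)[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" ;;
        ad|ldap) return 0 ;;   # server-side (GPO / LDAP filter) access control
        *) return 1 ;;         # permit, unset or unknown: nothing is enforced
    esac
}

# 2. With use_fully_qualified_names = False and "passwd: files sss" in
#    nsswitch.conf, a local account with the same short name hides the domain
#    account. Print the domain short names that already exist locally.
shadowed_domain_users() {  # $1 = path to passwd file, $2... = domain short names
    passwd=$1; shift
    for u in "$@"; do
        grep -q "^$u:" "$passwd" && printf '%s\n' "$u"
    done
    return 0
}

# 3. Who is granted ALL in a sudoers drop-in such as /etc/sudoers.d/waagent?
#    Comments are stripped first; NOPASSWD: rules are matched as well.
sudo_all_grantees() {  # $1 = path to sudoers file
    sed 's/#.*//' "$1" | awk '$2 == "ALL=(ALL)" && $NF == "ALL" { print $1 }'
}

# 4. A per-group rule in its own drop-in keeps domain admins out of the
#    agent-managed waagent file. Sudoers needs spaces in group names escaped.
sudo_rule_for_group() {  # $1 = domain group short name, e.g. hlmgroup
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}
```

On the joined host, run for example `sssd_access_restricted /etc/sssd/sssd.conf`, `shadowed_domain_users /etc/passwd stone abc bcd` and `sudo_all_grantees /etc/sudoers.d/waagent`; a rule produced by `sudo_rule_for_group hlmgroup` belongs in its own file under /etc/sudoers.d, checked with `visudo -cf` before use.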

Notes:

When running realm join hlm12r2n1.hlm.com -U stone, the messages log shows the authentication process for joining the domain as follows:

    Sep :: hlmcen75n2 realmd: * Resolving: _ldap._tcp.hlm12r2n1.hlm.com
    Sep :: hlmcen75n2 realmd: * Resolving: hlm12r2n1.hlm.com
    Sep :: hlmcen75n2 realmd: * Performing LDAP DSE lookup on: 10.0.0.6
    Sep :: hlmcen75n2 realmd: * Successfully discovered: hlm.com
    Sep :: hlmcen75n2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
    Sep :: hlmcen75n2 realmd: * LANG=C /usr/sbin/adcli join --verbose --domain hlm.com --domain-realm HLM.COM --domain-controller 10.0.0.6 --login-type user --login-user stone --stdin-password
    Sep :: hlmcen75n2 realmd: * Using domain name: hlm.com
    Sep :: hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
    Sep :: hlmcen75n2 realmd: * Using domain realm: hlm.com
    Sep :: hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
    Sep :: hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
    Sep :: hlmcen75n2 realmd: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-zqaVb2/krb5.d/adcli-krb5-conf-N3Soi1
    Sep :: hlmcen75n2 realmd: * Authenticated as user: stone@HLM.COM
    Sep :: hlmcen75n2 realmd: * Looked up short domain name: HLM
    Sep :: hlmcen75n2 realmd: * Using fully qualified name: hlmcen75n2
    Sep :: hlmcen75n2 realmd: * Using domain name: hlm.com
    Sep :: hlmcen75n2 realmd: * Using computer account name: HLMCEN75N2
    Sep :: hlmcen75n2 realmd: * Using domain realm: hlm.com
    Sep :: hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
    Sep :: hlmcen75n2 realmd: * Generated character computer password
    Sep :: hlmcen75n2 realmd: * Using keytab: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * Found computer account for HLMCEN75N2$ at: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
    Sep :: hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
    Sep :: hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
    Sep :: hlmcen75n2 realmd: * Set computer password
    Sep :: hlmcen75n2 realmd: * Retrieved kvno '' for computer account in directory: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
    Sep :: hlmcen75n2 realmd: * Modifying computer account: userAccountControl
    Sep :: hlmcen75n2 realmd: * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
    Sep :: hlmcen75n2 realmd: * Modifying computer account: userPrincipalName
    Sep :: hlmcen75n2 realmd: ! Couldn't set service principals on computer account CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com: 00002083: AtrErr: DSID-03151337, #1:
    Sep :: hlmcen75n2 realmd: #: : DSID-, problem (ATT_OR_VALUE_EXISTS), data , Att (servicePrincipalName)
    Sep :: hlmcen75n2 realmd:
    Sep :: hlmcen75n2 realmd: * Discovered which keytab salt to use
    Sep :: hlmcen75n2 realmd: * Added the entries to the keytab: HLMCEN75N2$@HLM.COM: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * Added the entries to the keytab: host/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * Added the entries to the keytab: host/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
    Sep :: hlmcen75n2 realmd: * /usr/bin/systemctl enable sssd.service
    Sep :: hlmcen75n2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
    Sep :: hlmcen75n2 systemd: Reloading.
    Sep :: hlmcen75n2 realmd: * /usr/bin/systemctl restart sssd.service
    Sep :: hlmcen75n2 systemd: Starting System Security Services Daemon...
    Sep :: hlmcen75n2 sssd: Starting up
    Sep :: hlmcen75n2 sssd[be[hlm.com]]: Starting up
    Sep :: hlmcen75n2 sssd[nss]: Starting up
    Sep :: hlmcen75n2 sssd[pam]: Starting up
    Sep :: hlmcen75n2 systemd: Started System Security Services Daemon.
    Sep :: hlmcen75n2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
    Sep :: hlmcen75n2 systemd: Reloading.
    Sep :: hlmcen75n2 systemd: Reloading.
    Sep :: hlmcen75n2 realmd: * Successfully enrolled machine in realm
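The join log above ends with adcli writing the computer account's keys for HLMCEN75N2 into /etc/krb5.keytab. As an added shell example (not code from the original post), the functions below check a saved `klist -k` listing for the five principals the log names and, on the joined host, prove the machine credential by obtaining a ticket from the keytab; the hostname and realm are the ones from this post, and the kinit step assumes MIT Kerberos and root access to the keytab.

```shell
#!/bin/sh
# Keytab check after "realm join" (added example, not from the post).
# adcli writes five entries for a host: HOST$@REALM, host/HOST@REALM,
# host/host@REALM, RestrictedKrbHost/HOST@REALM and RestrictedKrbHost/host@REALM.
expected_principals() {  # $1 = short hostname (any case), $2 = Kerberos realm
    up=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    lo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s$@%s\nhost/%s@%s\nhost/%s@%s\nRestrictedKrbHost/%s@%s\nRestrictedKrbHost/%s@%s\n' \
        "$up" "$2" "$up" "$2" "$lo" "$2" "$up" "$2" "$lo" "$2"
}

# Compare saved "klist -k /etc/krb5.keytab" output against the expected set.
# Prints each missing principal; exit status 0 only when nothing is missing.
missing_principals() {  # $1 = file with klist -k output, $2 = hostname, $3 = realm
    missing=0
    for p in $(expected_principals "$2" "$3"); do
        grep -qF " $p" "$1" || { printf 'missing: %s\n' "$p"; missing=1; }
    done
    return $missing
}

# Prove the machine credential works: obtain a TGT for HOST$ from the keytab
# into a throwaway memory cache (needs root for /etc/krb5.keytab and MIT kinit).
machine_credential_works() {  # $1 = hostname, $2 = realm
    command -v kinit >/dev/null 2>&1 || { echo 'kinit not installed' >&2; return 2; }
    up=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    KRB5CCNAME=MEMORY:join-check kinit -k -t /etc/krb5.keytab "$up\$@$2"
}
```

On the joined host: `klist -k /etc/krb5.keytab > /tmp/keytab.txt && missing_principals /tmp/keytab.txt hlmcen75n2 HLM.COM && machine_credential_works hlmcen75n2 HLM.COM`.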

When running realm list to show the domain information, the messages log contains the corresponding entries:

    Sep :: hlmcen75n2 dbus[]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
    Sep :: hlmcen75n2 systemd: Starting Realm and Domain Configuration...
    Sep :: hlmcen75n2 dbus[]: [system] Successfully activated service 'org.freedesktop.realmd'
    Sep :: hlmcen75n2 systemd: Started Realm and Domain Configuration.

When running realm leave hlm.com, the messages log shows the following entries for leaving the domain:

    Sep :: hlmcen75n2 python: // ::39.018384 INFO Event: name=WALinuxAgent, op=HeartBeat, message=, duration=
    Sep :: hlmcen75n2 realmd: * Removing entries from keytab for realm
    Sep :: hlmcen75n2 realmd: * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
    Sep :: hlmcen75n2 realmd: * Removing domain configuration from sssd.conf
    Sep :: hlmcen75n2 realmd: * /usr/sbin/authconfig --update --disablesssdauth --nostart
    Sep :: hlmcen75n2 systemd: Reloading.
    Sep :: hlmcen75n2 realmd: * /usr/bin/systemctl disable sssd.service
    Sep :: hlmcen75n2 realmd: Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
    Sep :: hlmcen75n2 systemd: Reloading.
    Sep :: hlmcen75n2 realmd: * /usr/bin/systemctl stop sssd.service
    Sep :: hlmcen75n2 systemd: Stopping System Security Services Daemon...
    Sep :: hlmcen75n2 sssd[nss]: Shutting down
    Sep :: hlmcen75n2 sssd[be[hlm.com]]: Shutting down
    Sep :: hlmcen75n2 sssd[pam]: Shutting down
    Sep :: hlmcen75n2 systemd: Stopped System Security Services Daemon.
    Sep :: hlmcen75n2 realmd: * Successfully unenrolled machine from realm

During testing I found that joining with "realm join hlm.com -U stone" succeeds, but the users under the DC cannot be resolved; the DC's hostname has to be put in front of the domain name, so the correct join command is "realm join hlm12r2n1.hlm.com -U stone".
